(57) ABSTRACT

A system and method employs a password rule data provider
that provides password generation rule data to a notification
device, such as a visual display device or audible output
device. A password data evaluator, such as a per character
password data evaluator, continuously evaluates password
character data as it is being entered and compares each
character to the password generation rule data. A dynamic
status data generator dynamically generates password rule
status data, such as a visual indication of which rule has been
met or which rule has not been met, as password data is being
entered.

PASSWORD GENERATION METHOD AND
SYSTEM

FIELD OF THE INVENTION

The invention relates generally to systems and methods 
for facilitating initial entry during selection of password 
information, and more particularly to systems and methods 
for facilitating initial entry during password selection and 
generation that employ feedback as to whether or not a 
password has been properly initially entered or generated. 

BACKGROUND OF THE INVENTION 

With the increase in electronic information exchange, the
use of passwords and other security authorization mechanisms
for use with communication systems, computer systems,
telephones and other devices, has become more important. As
password cracking programs become more sophisticated, the
length of passwords and types of variations for character
order, length, and character type have become increasingly
complex to try to thwart programs and malicious personnel
from determining a user's password to gain entry into a
particular system, program, access to cryptographic keys or
data in a storage medium.

Generally, the more "random" a password, the more
difficult it can be to decipher. As a mechanism to assist users
in entering suitably "random" passwords, some systems
provide a text based list of rules through a graphic user
interface that allows a user to read the rules prior to entering
the password during login or during a password change
operation. For example, if a particular password mechanism
requires the use of at least one capital letter and at least one
numerical character, the system provides visual rules in the
form of text to the user that the user must enter at least one
capital letter and one number as part of the password in order
for the password to be accepted by the system. However, if
the user fails to properly enter a desired character as
predetermined by the system, the user typically will not be
notified of the improper entry until a suitable number of
characters have been entered. Where the password is
relatively long or where password selection is required
frequently, this can be a cumbersome and frustrating process.
In addition, conventional initial password entry systems
having multiple rules typically only notify a user of one
rule that has been broken and a user must keep reentering
password characters until the user finally enters the character
(or password information) correctly. For example, if there
are many different password entry rules, such as password
length, nonredundancy of certain characters, capital letter
character requirements and other requirements, a system
typically will only notify the user of the first rule in the list
that has not been met although many rules may not have
been met by the user. Hence the user has to repetitiously
correct the entry of password character information
iteratively to satisfy the next rule on the list. Moreover,
conventional initial password entry systems typically do not
perform the password character and rule comparison until after
the system receives password entry complete data, such as
when a user hits the keyboard button or GUI button after
the user believes that a password has been entered. As such,
a user does not know that the password may have been
improperly entered until after the user notifies the system.

Such problems become compounded when password rule
data is configurable, such as in a system entitled "A Computer
Network Security System and Method Having Unilateral
Enforceable Security Policy Provision" described in
co-pending Patent Application No. 08/986,457, filed Dec. 8,
1998 and assigned to instant assignee. In such systems, a
central authority may designate through a signed certificate
the password rules that the system requires for every user in
the system on a per user per application or per user class
basis. These rules may be changed by a security manager or
other personnel and may be changed on a per user basis or
other suitable basis frequently. As such, the rules continually
change. It can be difficult to keep track of dynamically
changing password rule requirements.

Consequently, a need exists for a system and method for
facilitating password generation or initial password entry
that provides a continuous evaluation of password character
data entry and dynamically generates failed rule information
to a user on a dynamic basis so that the user need not wait
until a password is completely entered to be informed that
the password has been improperly entered. In addition, it would
be desirable if such a system allowed the use of configurable
rule data so that if password entry rules are changed, the
system automatically accounts for the rule changes without
user intervention. It would also be desirable if such a system
and method had flexibility in allowing the continuous
evaluation and dynamic generation of rule data compliance on a
variable character length basis.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram illustrating one embodiment of 
a system for facilitating password generation employing a 
centralized rule data provider and a dynamic status data 
generator in accordance with the invention. 

FIGS. 2a and 2b illustrate a flow chart depicting one 
operation of the system shown in FIG. 1. 

FIG. 3 is a flow chart illustrating the operation of a portion
of the flow chart of FIGS. 2a and 2b.

FIG. 4 is a pictorial representation of a display screen
showing password generation rule data and corresponding
password rule status data in accordance with one embodiment
of the invention.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

Briefly, a system and method employs a password rule
data provider that provides password generation rule data to
a notification device, such as a visual display device or audible
output device. A password data evaluator, such as a per
character password data evaluator, continuously evaluates
password character data as it is being entered and compares
each character to the password generation rule data. A
dynamic status data generator dynamically generates password
rule status data, such as a visual indication of which rule
has been met or which rule has not been met, as password
data is being entered.

In one embodiment a policy certificate analyzer receives
signed policy certificate data from a trusted authority unit.
The policy certificate includes configurable password
generation rule data that may be distributed to a plurality of
users to facilitate centralized rule data compliance but whose
rules can be flexibly modified. The system and method
facilitates, in another embodiment, a variable character
length evaluation mechanism so that rules are not evaluated
until a predefined number of characters have been entered.
The system and method continuously evaluates password
data as it is being received and continually updates password
notification information to a user to provide, in effect, real
time feedback before the system receives password entry
complete data.

FIG. 1 shows one example of the apparatus for facilitating
password generation 10 incorporated into a computer network
system. It will be recognized that the apparatus 10 may
be utilized in a standalone unit if desired or any suitable
system. The apparatus 10 may be a suitably programmed
computer or any other suitable hardware/software combination
if desired. The apparatus 10 includes a policy certificate
analyzer 12, a password generation rule data provider 14, a
dynamic status generator 16 and a password character
change evaluator 18. The apparatus 10 provides, in this
embodiment, password generation rule data 20 that is in text
form to a notification device 22 such as a display device,
audible device such as a speaker, or other suitable user
notification device. A password character input device 24
allows a user or other software application to input password
data characters to the apparatus 10. The password character
input device 24 may be a keyboard, voice recognition
system, software application, or any other suitable input
mechanism.

When used in a computer network system, the apparatus
10 may be operatively coupled to a manager server which
has software serving as a policy certificate generator 26. The
manager server with policy certificate generator 26 may
generate public key certificates, such as those that are
compliant with ITU-T Recommendation X.500 standards as
known in the art, or any other suitable certificate mechanism
where a trusted authority signs information through a
cryptographic mechanism for use by a relying party. In this
embodiment, the policy certificate generator 26 and the
apparatus 10 use public key cryptography techniques, as
known in the art, to verify policy certificate data. One
example of a policy certificate generator may be found for
example in co-pending patent application entitled, "A Computer
Network Security System and Method Having Unilateral
Enforceable Security Policy Provision", Patent Application
No. 08/986,457, filed Dec. 8, 1998, assigned to
instant assignee, and hereby incorporated by reference as
though fully stated herein. The policy certificate generator
26 generates certificates that contain password generation
rule data that is used by a plurality of nodes such as a node
containing apparatus 10. In this way, a centralized security
mechanism is provided to ensure that all nodes or specific
class of users use the same password generation rule data.

The policy certificate analyzer 12 pulls the password
generation rule data from a policy certificate 30 received
from the policy certificate generator 26. For example, certain
fields of a policy certificate or data elements of a policy
certificate include data representing rules by which passwords
are required to be entered before being accepted as a
complete password. The policy certificate analyzer 12
receives a signed policy certificate 30 from the policy
certificate generator which is a trusted authority unit. The
policy certificate 30 includes configurable password generation
rule data configured by the trusted authority. It may be
configurable, for example, on a per user class basis such that
all users that require higher levels of security, for example,
receive different password entry rule data than users who are
in a class that do not have access to secret information in the
network. Once analyzed, the policy certificate analyzer 12
outputs password generation rule data 32 which may be, for
example, configurable password entry data or password
generation rule data that must be met before the password is
accepted by the apparatus 10.

The password rule data provider 14 provides password
generation data to the notification device 22. As previously
mentioned, the password generation rule data may be in the
form of a list of rules (e.g., in the form of text) that a user
may look at to know which character data needs to be
entered for an acceptable password as well as data used by
the apparatus to compare whether entered password character
data complies with the rule data. The password generation
rule data provider outputs password rule identification
data 34 to the password character change password
evaluator 18. The rule ID data 34 is used to select the
configured rules from a pool of rules 36 stored for use by the
password character change evaluator. For example, a pool of
rules may contain a list of a total of thirty password rules,
any of which may be selected as configured by the policy
and certificate generator 26. As such the rule ID data acts as
a switch to turn on only those rules required to be output to
the notification device as password generation rule data 20.

The password character change evaluator 18, in one
embodiment, operates as a per character password data
evaluator that continuously evaluates the password character
data on a per character basis in view of the password
generation rule data by comparing the password data character
change information 38 received from the password
data input device and the selected rules identified by the rule
ID data 34. Accordingly, when a user enters a single
character, the per character change password evaluator 18
determines which, if any, of the sets of rules have been met
and outputs pass/fail status data 40 as output on a per rule
basis to the dynamic status data generator 16. The dynamic
status data generator 16 dynamically generates password
rule status data associated with each given rule data that has
been selected from the pool based on each changed or
entered password character. The dynamic status data generator
16 outputs status data 42 to the notification device
continuously as password characters are being input. The
status data 42 may be, for example, a visual indication or
check mark that a rule from the text password generation
rule 20 has been satisfied by the last entered character. The
dynamic status generator 16, by dynamically generating
password rule status data, facilitates real time feedback for a
user on a per password character basis so that the user need not
wait until the end of the entire password character string is
entered before knowing whether or not the password was
properly entered. Moreover, the status data being visually or
audibly displayed on a continuous basis, for example, after
each character has been entered, provides immediate visual
feedback for the user so that the user can know exactly
which rule has not been met or has been met by the entry of
the last password character that has been entered into the
password data input device 24.

Also, the per character change password evaluator 18
generates acceptance password change data 44 to the
notification device 22 when all of the rules have been met. As
such, there is no need for a user to activate password entry
complete data as the per character change password evaluator
18 will automatically generate the acceptance password
change data when there have been enough characters entered
or, for example, where all characters that have been entered
conform to the configured rule data.
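
The per rule evaluation described above can be sketched as follows. This is an added example, not code from the patent: the rule IDs, rule texts, the Policy and PerCharacterEvaluator names and the eval_after threshold (standing in for the variable character length) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Rule = Tuple[str, Callable[[str], bool]]  # (display text, check on the whole field)


def _no_triple_repeat(p: str) -> bool:
    return not any(p[i] == p[i + 1] == p[i + 2] for i in range(len(p) - 2))


# Hypothetical pool of rules keyed by rule ID (the role of "pool of rules 36").
RULE_POOL: Dict[str, Rule] = {
    "MIN_LEN_8": ("At least 8 characters", lambda p: len(p) >= 8),
    "HAS_UPPER": ("At least one capital letter", lambda p: any(c.isupper() for c in p)),
    "HAS_DIGIT": ("At least one numeric character", lambda p: any(c.isdigit() for c in p)),
    "NO_TRIPLE": ("No character three times in a row", _no_triple_repeat),
}


@dataclass
class Policy:
    rule_ids: List[str]   # rule ID data: switches on a subset of the pool
    eval_after: int = 1   # characters required before evaluation starts


@dataclass
class Feedback:
    status: Dict[str, Optional[bool]]   # True = met, False = not met, None = not yet evaluated
    changed: Dict[str, Optional[bool]]  # only the rules whose status changed on this keystroke
    accepted: bool                      # True once every selected rule is met


class PerCharacterEvaluator:
    def __init__(self, policy: Policy, pool: Dict[str, Rule] = RULE_POOL):
        unknown = [rid for rid in policy.rule_ids if rid not in pool]
        if unknown:
            raise ValueError(f"policy names unknown rule IDs: {unknown}")
        if not policy.rule_ids:
            # With no rules selected every password would be accepted.
            raise ValueError("policy selects no rules")
        self._rules = {rid: pool[rid] for rid in policy.rule_ids}
        self._eval_after = max(1, policy.eval_after)
        self._last: Dict[str, Optional[bool]] = {rid: None for rid in self._rules}

    def rule_text(self) -> List[str]:
        """Text shown to the user for the selected rules."""
        return [text for text, _ in self._rules.values()]

    def on_change(self, value: str) -> Feedback:
        """Re-evaluate the whole field after every change, before any 'enter' key."""
        if len(value) < self._eval_after:
            status: Dict[str, Optional[bool]] = {rid: None for rid in self._rules}
        else:
            status = {rid: check(value) for rid, (_, check) in self._rules.items()}
        changed = {rid: s for rid, s in status.items() if s != self._last[rid]}
        self._last = status
        # Feedback carries pass/fail per rule only, never the password itself.
        return Feedback(status, changed, all(s is True for s in status.values()))


def replay(policy: Policy, keystrokes: str) -> List[Feedback]:
    """Simulate typing; a backspace character ('\\b') deletes the last character."""
    evaluator = PerCharacterEvaluator(policy)
    value, out = "", []
    for key in keystrokes:
        value = value[:-1] if key == "\b" else value + key
        out.append(evaluator.on_change(value))
    return out
```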

The per character password data evaluator 18 evaluates
password character data on a predefined character length
basis against each rule corresponding to the password
generation rule data prior to receiving complete entry data or
generating acceptance password change data. Also, the
dynamic status generator 16 generates the password rule
status data 42 upon a change in rule status, prior to receiving
complete entry data, based on the continuously evaluated
password character change data 38. The password rule status
data 42 includes confirmation data, such as a checkmark or
other data corresponding to display rules that have been met
so that the user can visually or audibly determine in a real
time manner which rules have been met or if rules have not
been met. The password rule status data 42 may include
non-confirmation data such as data indicating that rule data
has not been satisfied. Preferably, the password rule status
data 42 includes both non-confirmation data and confirmation
data so that the user can visually or audibly determine
immediately which rules have and have not been met.

In other words, the per character password data evaluator
18 provides continuous password character rejection data
and/or acceptance data on a per character basis (predefined
character length basis may be one or more characters) in
response to continuously evaluating the password data 38
prior to receiving password entry complete data. However,
it will be recognized that the system ultimately will generate
either one or the other type of data if desired. Alternatively,
the evaluator 18 evaluates password character data on a
single character basis after an initial predefined character
length has been reached. For example, the system may allow
entry of three characters before evaluation and continuous
per character evaluation on each entered character thereafter.

Also if desired, the apparatus 10 may include a variable
character length selector that selects the number of password
characters that are continuously evaluated to determine
whether password generation rule data has been satisfied.
For example, the variable character length selector may be
selectable by or through policy certificate data in the policy
certificate 30 so that the system will evaluate three characters
versus each individual character, if desired.

The apparatus 10 may optionally include a preliminary
password data generator 50 that is used upon initialization of
a user that has not entered a password previously. For
example, during the first login the preliminary password
data generator 50 obtains password generation rule data 32
prior to the apparatus 10 receiving password data character
change information 38. The preliminary password data
generator 50 may generate, for example, a random password
that is used to send policy certificate request data 52 to the
policy certificate generator 26 to obtain the policy certificate
30 the very first time the user enters or desires a login. In this
way, the system may automatically obtain the configurable
password generation rule data based on a secure type of
password since the system cannot authorize a final password
based on the input data.

FIGS. 2a and 2b illustrate an example of a method for
facilitating password generation when a change in password
is desired. As shown in block 60, the system provides a
graphic user interface or other suitable interface for a user to
indicate that a change in password is desired. As shown in
block 62, the user enters password character change
information 38 through the data input device 24 in the form of a
current password. The system then determines whether it
can retrieve from an X.500 type directory the policy
certificate associated with the user to obtain the currently
configured password generation rule data as shown in block 64. If
the system can retrieve the policy certificate associated with
the user, the system processes the request data to change the
password as indicated in block 66. The change data for the
password, such as password data character change
information, is entered by the user through the input device
and the password generation rule data is evaluated based on
the retrieved policy certificate to create both the text based
rule data to display on the notification device and enables the
system to check the identified rules that were indicated on
the retrieved policy certificate as shown in block 68. As
shown in block 70, the system receives the password data
character change information 38 input through the input
device on a per character basis, or other suitable character
length basis as selected through the policy certificate. As
shown in block 72, the system continuously evaluates each
configured rule on a per character change basis prior to
receiving complete notification data and generates the
appropriate status feedback data (e.g., password rule status
data) for the notification device. The appropriate password
rule status feedback data is dynamically generated on a
continuous basis. As shown in block 74, the system determines
whether the password rule status data is equal to
confirmation data for all rules, meaning that all selected
[...] data indicates that all rules have been met, the system
[...] accept the changed password and generates the accepted
password change data as shown in block 76. However, if the
password rule status data indicates that non-confirmation
data still exists, the system returns to block 70 awaiting the
receipt of new character data.

Returning to block 64, if the system cannot retrieve a
policy certificate, which may occur, for example, if the
system is no longer connected to the network, the system
determines whether any policy certificate has been cached or
stored locally as indicated in block 78. If a prior policy
certificate has been cached locally, the system loads the
password generation rule data from the cached policy
certificate as shown in block 80 and uses that rule data as the
designated password generation rule data. If no previous
policy certificate has been cached locally the system loads
[...] block 82 and uses the default password generation rule
data as the basis for determining whether password is properly
entered.

FIG. 3 illustrates the additional process that is used if the
password is the first password that has been entered for the
user. Blocks 90-96 take the place of blocks 62 and 64 in
FIG. 2a. As shown in block 90, the system receives user
identification data such as the name of a user, or where the
security profile information is stored, such as in a public/
private key cryptographic system, the storage location for
the secret signing key and the secret decryption key. The
system then generates a preliminary password using, for
example, a random number generator so that the password
may be used to obtain the policy certificate for the first time.
This is shown in block 92. As shown in block 94, the system
creates user data, such as the cryptographic keys and any
other suitable information using the preliminary password.
As shown in block 96, the system obtains the password
generation rule data from the policy certificate obtained
from the centralized authority using the user data based on
the preliminary password. The system then continues to,
instead of block 66 in FIG. 2[...], prompt the user to enter the
password for the first time.

As described herein, the system uses in one embodiment,
configurable rule data and dynamically updates rules based
on the configurable rule data from a policy certificate or
other source and displays the new rules to the user in the
form of text data or in the form of audible information if
desired. The system reevaluates the entire password field on
each change in character without requiring a complete entry
notification signal from the system or from the user, such as
entering a return key or hitting a button in the graphic user
interface.
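
The retrieval order of blocks 64, 78, 80 and 82 can be sketched as follows. This is an added example, not code from the patent: the certificate layout, function names and default rule IDs are hypothetical, and an HMAC-SHA256 tag stands in for the public key signature so the block runs on the standard library alone. Treating a certificate that fails verification the same as one that could not be retrieved is a design assumption of the example.

```python
import hashlib
import hmac
import json
from typing import Callable, List, Optional, Tuple

# Hypothetical built-in rule IDs used when no certificate is available (block 82).
DEFAULT_RULE_IDS = ["MIN_LEN_8", "HAS_UPPER", "HAS_DIGIT"]


def sign(key: bytes, body: str) -> str:
    """Stand-in for the trusted authority's signature (HMAC, not public key)."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cert(key: bytes, rule_ids: List[str]) -> dict:
    """Build a constructed sample certificate: a JSON body plus its tag."""
    body = json.dumps({"rule_ids": rule_ids})
    return {"body": body, "sig": sign(key, body)}


def verified_rule_ids(cert: Optional[dict], key: bytes) -> Optional[List[str]]:
    """Return the rule IDs only if the certificate verifies and is well formed."""
    if not isinstance(cert, dict):
        return None
    try:
        if not hmac.compare_digest(sign(key, cert["body"]), cert["sig"]):
            return None
        rule_ids = json.loads(cert["body"])["rule_ids"]
    except (KeyError, TypeError, ValueError, AttributeError):
        return None
    # An empty or malformed rule list must not silently disable all checks.
    if not isinstance(rule_ids, list) or not rule_ids:
        return None
    return rule_ids


def resolve_policy(fetch: Callable[[], Optional[dict]], cache: dict,
                   key: bytes) -> Tuple[str, List[str]]:
    """Directory first (block 64), then local cache (78/80), then defaults (82)."""
    try:
        cert = fetch()
    except OSError:  # e.g. the node is no longer connected to the network
        cert = None
    rule_ids = verified_rule_ids(cert, key)
    if rule_ids is not None:
        cache["cert"] = cert  # only verified certificates are ever cached
        return "directory", rule_ids
    # The cached copy is verified again: local storage may have been altered.
    rule_ids = verified_rule_ids(cache.get("cert"), key)
    if rule_ids is not None:
        return "cache", rule_ids
    return "default", list(DEFAULT_RULE_IDS)
```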

As previously noted, the apparatus 10 and methods disclosed
herein in the various embodiments may be implemented
using a programmed computer or other processing
device and as such, the program instructions used to perform
the operations of the various apparatus and methods may be
stored on a storage medium, such as a CDROM, digital tape
or any other suitable storage medium, that is run by the
processing unit. A storage medium may have different
locations containing data representing executable instructions
that cause a processing device to provide password
generation rule data to a notification device; receive password
data in response to providing the password generation
rule data; continuously evaluating the password data as it is
being received in view of the password generation rule data;
and dynamically generating, for the notification device,
password rule status data associated with each given rule in
the rule data. The storage medium may also have instructions
that cause the processing unit and trusted authority as
described above. For example, the storage medium also
includes data representing executable instructions that cause
the processing device to receive configurable password
generation rule data configured by a trusted authority.

FIG. 4 pictorially represents a display screen showing
password generation rule data 20 and corresponding password
rule status data 42 represented as X's and check
marks. As shown, a display device outputs the data for view
by a user. The user enters the password character data and
the processor outputs the password rule status data as the
user enters the data. As shown, the user in this example
improperly entered characters that indicated that the password
rules were not met since the entered password does not
contain a numeric character as indicated by the "X"s. Those
rules that have been met have a check mark by them.

It should be understood that the implementation of other
variations and modifications of the invention in its various
aspects will be apparent to those of ordinary skill in the art,
and that the invention is not limited by the specific
embodiments described. It is therefore contemplated to cover by the
present invention, any and all modifications, variations, or
equivalents that fall within the spirit and scope of the basic
underlying principles disclosed and claimed herein.

What is claimed is:

1. A method for facilitating password generation comprising
the steps of:

providing password generation rule data to a notification
device;

receiving password data in response to providing the
password generation rule data;

continuously evaluating the password data as it is being
received in view of the password generation rule data;
and

dynamically generating, for the notification device, password
rule status data associated with each given rule in
the rule data.

2. The method of claim 1 wherein providing password
generation rule data includes receiving configurable password
generation rule data configured by a trusted authority.

3. The method of claim 2 wherein the trusted authority
unit generates a public key policy certificate containing the
configurable password generation rule data.

4. The method of claim 1 wherein the step of continuously
evaluating the password data includes evaluating password
data on a predefined character length basis against each rule
corresponding to the password generation rule data prior to
receiving complete entry data and wherein the step of
dynamically generating password rule status data includes
generating the password rule status data upon a change in
rule status, prior to receiving complete entry data, based on
the continuously evaluated password data.

5. The method of claim 1 wherein password rule status
data includes confirmation data corresponding to display
rules that have been met.

6. The method of claim 1 wherein password rule status
data includes non-confirmation data indicating that rule data
has not been satisfied.

7. The method of claim 1 wherein password rule status
data includes non-confirmation data indicating that rule data
has not been satisfied and includes confirmation data
corresponding to display rules that have been met.

8. The method of claim 1 including the step of generating
preliminary password data to obtain the password generation
rule data prior to receiving the password data.

9. The method of claim 1 including providing continuous
password character data rejection on a per character basis in
response to continuously evaluating the password data, prior
to receiving password entry complete data.

10. The method of claim 1 including selectively varying
a character length associated with a number of password
characters after which each subsequently entered character
is continuously evaluated to determine whether password
generation rule data has been satisfied.

11. The method of claim 4 wherein password rule status
data includes non-confirmation data indicating that rule data
has not been satisfied and includes confirmation data
corresponding to display rules that have been met.

12. An apparatus for facilitating password generation
comprising:

[...] password generation rule data to a notification device;

at least one per character password data evaluator, operatively
coupled to receive password character data, that
continuously evaluates the password character data on
a per character basis in view of the password generation
[...]

[...] dynamic status data generator operatively
[...] notification device, that dynamically
generates password rule status data associated with
given rule in the rule data based on each password
[...]

13. The apparatus of claim 12 including a policy certificate
analyzer operatively coupled to receive a signed policy
[...]
policy certificate includes configurable password generation
rule data configured by the trusted authority.

14. The apparatus of claim 12 wherein the per character
password data evaluator evaluates password character data
on a predefined character length basis against each rule
corresponding to the password generation rule data prior to
receiving complete entry data and wherein the dynamic
status data generator generates the password rule status data
upon a change in rule status, prior to receiving complete
entry data, based on the continuously evaluated password
data.

15. The apparatus of claim 12 wherein password rule
status data includes confirmation data corresponding to
display rules that have been met.

16. The apparatus of claim 12 wherein password rule
status data includes non-confirmation data indicating that
rule data has not been satisfied.

17. The apparatus of claim 12 wherein password rule
status data includes non-confirmation data indicating that
rule data has not been satisfied and includes confirmation
data corresponding to display rules that have been met.

18. The apparatus of claim 12 including a preliminary
password data generator that obtains the password generation
rule data prior to the apparatus receiving the password
data.

19. The apparatus of claim 12 wherein the per character
password data evaluator provides continuous password
character data rejection on a per character basis in response to
continuously evaluating the password data, prior to receiving
password entry complete data.

20. The apparatus of claim 12 including a variable character
length selector that selects a number of password
characters after which each subsequently entered character
is continuously evaluated to determine whether password
generation rule data has been satisfied.

21. The apparatus of claim 14 wherein password rule
status data includes non-confirmation data indicating that
rule data has not been satisfied and includes confirmation
data corresponding to display rules that have been met.

22. A storage medium comprising:

memory containing data representing executable instructions
that cause a processing device to provide password
generation rule data to a notification device;
receive password data in response to providing the
password generation rule data; continuously evaluating
the password data as it is being received in view of the
password generation rule data; and dynamically
generating, for the notification device, password rule
status data associated with each given rule in the rule
data.

23. The storage medium of claim 22 containing data
representing executable instructions that cause the processing
device to receive configurable password generation rule
data configured by a trusted authority.

24. The storage medium of claim 23 containing data
representing executable instructions that cause a trusted
authority unit to generate a public key policy certificate
containing the configurable password generation rule data.

25. The storage medium of claim 22 containing data
representing executable instructions that cause the processing
device to evaluate password data on a predefined character
length basis against each rule corresponding to the
password generation rule data prior to receiving complete
entry data and to generate the password rule status data upon
a change in rule status, prior to receiving complete entry
data, based on the continuously evaluated password data.

26. The storage medium of claim 22 containing data
representing executable instructions that cause the processing
device to generate preliminary password data to obtain
the password generation rule data prior to receiving the
password data.

27. The storage medium of claim 22 containing data
representing executable instructions that cause the processing
device to provide continuous password character data
rejection on a per character basis in response to continuously
evaluating the password data, prior to receiving password
entry complete data.

28. The storage medium of claim 22 containing data
representing executable instructions that cause the processing
device to selectively vary a character length associated
with a number of password characters after which each
subsequently entered character is continuously evaluated to
determine whether password generation rule data has been
satisfied.

* * * * *